author | Petr Spacek <pspacek@redhat.com> | 2015-08-31 18:01:12 +0200 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2015-09-03 18:20:36 +0200 |
commit | d24db5d9215e45397942438cf77376e6f409a70d (patch) | |
tree | 31a024d8a0bc6a7247df5314f302cc2adbd935bd | |
parent | f1436c4ed89e96312d65e648e0b4ee47fa3a21a4 (diff) | |
DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction
https://fedorahosted.org/freeipa/ticket/5273
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
-rwxr-xr-x | daemons/dnssec/ipa-ods-exporter | 39 |
1 files changed, 31 insertions, 8 deletions
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 13dd2ced1..7838340c3 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -369,12 +369,12 @@ def parse_command(cmd):
 """
 if cmd == 'ipa-hsm-update':
 return (0,
- 'HSM synchronization finished, exiting.',
+ 'HSM synchronization finished, skipping zone synchronization.',
 None)
 elif cmd == 'ipa-full-update':
 return (None,
- 'Synchronization of all zones requested.',
+ 'Synchronization of all zones was finished.',
 None)
 elif not cmd.startswith('update '):
@@ -387,7 +387,7 @@ def parse_command(cmd):
 else:
 zone_name = cmd2ods_zone_name(cmd)
 return (None,
- 'Update request for zone "%s" queued.\n' % zone_name,
+ 'Zone was "%s" updated.\n' % zone_name,
 zone_name)
 def send_systemd_reply(conn, reply):
@@ -542,18 +542,29 @@ except KeyError as e:
 exitcode, msg, zone_name = parse_command(cmd)
-if conn:
- send_systemd_reply(conn, msg)
 if exitcode is not None:
+ if conn:
+ send_systemd_reply(conn, msg)
 log.info(msg)
 sys.exit(exitcode)
 else:
 log.debug(msg)
 # Open DB directly and read key timestamps etc.
-with ods_db_lock():
- db = sqlite3.connect(paths.OPENDNSSEC_KASP_DB,
- isolation_level="EXCLUSIVE")
+db = None
+try:
+ # LOCK WARNING:
+ # ods-enforcerd is holding kasp.db.our_lock when processing all zones and
+ # the lock is unlocked only after all calls to ods-signer are finished,
+ # i.e. when ods-enforcerd receives reply from each ods-signer call.
+ #
+ # Consequently, ipa-ods-exporter (ods-signerd implementation) must not
+ # request kasp.db.our_lock to prevent deadlocks.
+ # SQLite transaction isolation should suffice.
+ # Beware: Reply can be sent back only after DB is unlocked and closed
+ # otherwise ods-enforcerd will fail.
+
+ db = sqlite3.connect(paths.OPENDNSSEC_KASP_DB)
 db.row_factory = sqlite3.Row
 db.execute('BEGIN')
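Review bot: The new 'ipa-full-update' text, `'Synchronization of all zones was finished.'`, is also what `log.debug(msg)` writes in the third hunk before the database is opened, so the debug log reports completion ahead of the work; the per-zone message in the second hunk has the same problem. Logging a separate "requested" line at that point and keeping the completion wording for the reply alone would keep the log truthful. The per-zone string also has its words transposed; `'Zone "%s" was updated.\n' % zone_name` reads correctly. parse_command's body starts outside both hunks.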
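Review bot: With the file lock and `isolation_level="EXCLUSIVE"` both removed, the plain `db.execute('BEGIN')` in the third hunk opens a deferred SQLite transaction, so no database lock is held until the first SELECT, and a database that stays busy past the connect timeout surfaces as `sqlite3.OperationalError`. The LOCK WARNING comment should state that assumption, for example `# Access here is read-only; a deferred BEGIN should give a consistent view from the first SELECT, and a busy DB is reported to the peer as an error.` Whether any process other than ods-enforcerd writes kasp.db is not visible in this diff and should be confirmed. The try block continues past the end of this hunk.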
@@ -565,4 +576,16 @@ with ods_db_lock():
 for zone_row in db.execute("SELECT name FROM zones"):
 sync_zone(log, ldap, dns_dn, zone_row['name'])
+except Exception as ex:
+ msg = "ipa-ods-exporter exception: %s" % ex
+ raise ex
+
+finally:
+ try:
+ if db:
+ db.close()
+ finally:
+ if conn:
+ send_systemd_reply(conn, msg)
+
 log.debug('Done') |
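Review bot: Any `SystemExit` or `KeyboardInterrupt` raised inside the try block bypasses `except Exception`, so the `finally` clause still sends the success text from parse_command even though synchronization did not complete. Catching `BaseException` here, or assigning a failure text to `msg` before the work starts and the success text only at the end, keeps the reply truthful. If this script runs on Python 2, `raise ex` also discards the original traceback; a bare `raise` preserves it. The exception text is forwarded verbatim to the socket peer through `"ipa-ods-exporter exception: %s" % ex`, so a comment such as `# reply goes to the local ods-enforcerd socket; exception text may include paths and zone names` would record that this exposure is intended.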